setsockopt has a small list of options it can set. If we find ourselves

only in TAME_UNIX, stop trying after servicing SOL_SOCKET.
discussion with claudio

diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c
index fc36a71..cc3e92a 100644 (file)
--- a/sys/kern/kern_tame.c
+++ b/sys/kern/kern_tame.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_tame.c,v 1.68 2015/10/08 13:21:06 deraadt Exp $  */
+/*     $OpenBSD: kern_tame.c,v 1.69 2015/10/08 13:25:04 deraadt Exp $  */
 
 /*
  * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -1083,6 +1083,7 @@ tame_setsockopt_check(struct proc *p, int level, int optname)
        if ((p->p_p->ps_flags & PS_TAMED) == 0)
                return (0);
 
+       /* common case for TAME_UNIX and TAME_INET */
        switch (level) {
        case SOL_SOCKET:
                switch (optname) {
@@ -1090,6 +1091,12 @@ tame_setsockopt_check(struct proc *p, int level, int optname)
                        return (EPERM);
                }
                return (0);
+       }
+
+       if ((p->p_p->ps_tame & TAME_INET) == 0)
+               return (EPERM);
+
+       switch (level) {
        case IPPROTO_TCP:
                switch (optname) {
                case TCP_NODELAY: